ISPs say your Web browsing and app usage history isn’t “sensitive”

ISP lobby groups make case against the FCC’s broadband privacy rules.

ISPs that want the federal government to eliminate broadband privacy rules say that your Web browsing and app usage data should not be classified as "sensitive" information.

"Web browsing and app usage history are not 'sensitive information,'" CTIA said in a filing with the Federal Communications Commission yesterday. CTIA is the main lobbyist group representing mobile broadband providers such as AT&T, Verizon Wireless, T-Mobile USA, and Sprint.

The FCC rules passed during the Obama administration require ISPs to get opt-in consent from consumers before sharing sensitive customer information with advertisers and other third parties. The FCC defined Web browsing history and app usage history as sensitive information, along with other categories such as geo-location data, financial and health information, and the content of communications. If the rules are overturned, ISPs would be able to sell this kind of customer information to advertisers.

The opt-in rules are scheduled to take effect on or after December 4, 2017, but ISPs have petitioned the FCC to eliminate the rules before that happens. The latest CTIA filing was a reply to groups that opposed the petition to overturn the rules.

In making its argument that Web browsing and app usage history are not sensitive information, CTIA said that the Federal Trade Commission has taken a different stance than the FCC.

"To justify diverging from the FTC's framework and defining Web browsing history as 'sensitive,' the commission and the [privacy rule supporters] both cherry-picked evidence in an attempt to show that ISPs have unique and comprehensive access to consumers' online information," CTIA wrote. "As the full record shows, however, this is simply not true. Indeed, even a prominent privacy advocacy organization asserted that it is 'obvious that the more substantial threats for consumers are not ISPs,' but rather other large edge providers."

That last statement quotes a filing by the Electronic Privacy Information Center, which nonetheless supports privacy rules for ISPs. "Privacy rules for ISPs are important and necessary, but it is obvious that the more substantial privacy threats for consumers are not the ISPs," the advocacy group said. The bigger threat is posed by "the largest email, search, and social media companies," the group said.

Those "edge providers" are regulated by the FTC, but the FTC is not allowed to regulate home and mobile Internet service providers because of their status as common carriers. The ISPs' common carrier classification could be changed by the FCC or Congress, but even then the FTC might not be able to regulate ISPs such as AT&T and other CTIA members because they would still be common carriers via their mobile voice services.

Consumer advocates protest, but privacy rules unlikely to survive

Public Knowledge and other consumer advocacy groups argued that the FCC was correct to classify Web browsing and app usage history as sensitive information.

"It is clear that even with encryption, ISPs can glean information about political views, sexual orientation, and other types of sensitive information," the advocacy groups wrote in an FCC filing on March 6. "As is true with call history and video viewing history, Web browsing history is sensitive and should require affirmative consent before use by ISPs." The groups also argued that this approach is "consistent with the FTC's framework."

The privacy rules are unlikely to survive, as they are opposed both by the new FCC chairman, Republican Ajit Pai, and Republicans in Congress. What's less clear is whether the FCC will have any authority over ISPs' privacy practices after the rules are eliminated.

According to Morning Consult, Pai told senators at a recent hearing that "carriers would still have their obligations under Section 222 [of the Communications Act] in addition to other federal and state privacy, data security, and breach notification requirements." Section 222 governs common carriers generally, but it was written for telephone networks in 1996 and makes no mention of Internet service.

CTIA argued that the FCC and privacy rule supporters "ignored facts and arguments in the record that Section 222 cannot be extended to broadband service." Moreover, CTIA claims that Section 222's use of the phrase "customer proprietary network information" demonstrates that the regulation doesn't necessarily cover "personal" information. Section 222 provisions "apply only to commercially valuable—not personal—information," the group said.

Even if the FCC asserts some authority over ISPs via Section 222, it's clear that in the long run Chairman Pai does not want the FCC regulating broadband privacy. He recently issued a joint statement with acting FTC Chairwoman Maureen Ohlhausen that said, "jurisdiction over broadband providers' privacy and data security practices should be returned to the FTC."

Sooo... These same executives of these ISPs would have no problem with someone following them around in public and filming/documenting their day to day activities and then publishing that to the public?

VPN tunnels or TOR might help. . . but then your endpoint is always a potential point of leakage.

On that note, how soon until ISPs claim the right to be able to block tunnels on 'non-premium' subscriptions.

After all, if ISPs have 100 percent right to do whatever they want with their (monopoly status granted by local governments) network, what's to stop them from just blocking all VPN connection attempts?

HTTPS everywhere (possible). Run through a VPN. It's BS that we, as consumers, have to take such steps, but really, just assume absolutely no one is looking out for you, and in fact are actively working against your privacy, so take control over your own data. No doubt there will be an attempt to criminalize encryption in the next 4 years...

HTTPS everywhere (possible). Run through a VPN. It's BS that we, as consumers, have to take such steps, but really, just assume absolutely no one is looking out for you, and in fact are actively working against your privacy, so take control over your own data. No doubt there will be an attempt to criminalize encryption in the next 4 years...

https protects the content of your packets, but the ISP can still see what servers you are making connection to, whether that's Ars, Google, change.org or whatever, I think?

VPN tunnels or TOR might help. . . but then your endpoint is always a potential point of leakage.

On that note, how soon until ISPs claim the right to be able to block tunnels on 'non-premium' subscriptions.

After all, if ISPs have 100 percent right to do whatever they want with their (monopoly status granted by local governments) network, what's to stop them from just blocking all VPN connection attempts?

On the upside, VPNs are able to compete relatively freely, which means there is room for privacy focused VPNs (which of course there already are). Can't say the same of ISPs.

I wonder how those executives would feel to have someone following them around all the time, reporting on where they went and what they were doing. nm. I think I already know: https://youtu.be/TK_yolYCnKw

VPN tunnels or TOR might help. . . but then your endpoint is always a potential point of leakage.

On that note, how soon until ISPs claim the right to be able to block tunnels on 'non-premium' subscriptions.

After all, if ISPs have 100 percent right to do whatever they want with their (monopoly status granted by local governments) network, what's to stop them from just blocking all VPN connection attempts?

Soon people will be reduced to what they do in Cuba, a booming underground trade in data-sticks.

I had to figure out why that "privacy group" thought edge providers were more of a threat to privacy, and it's because they assume:

Quote:

Internet users routinely shift from one ISP to another, as they move between home, office, mobile, and open WiFi services. However, all pathways lead to essentially one Internet search company and one social network company.

So, because we all have such a great ability to swap ISPs all the time (lawl), Google and Facebook (literally the biggest companies on the internet) are a bigger threat because they're popular and people like to use them. Oh, and mobile phones can connect through different wifi hubs, so ISPs don't matter. Damn the fact that the mobile network ISP can track you, just be sure to connect to every wifi hotspot you find to cover your privacy.

VPN tunnels or TOR might help. . . but then your endpoint is always a potential point of leakage.

On that note, how soon until ISPs claim the right to be able to block tunnels on 'non-premium' subscriptions.

After all, if ISPs have 100 percent right to do whatever they want with their (monopoly status granted by local governments) network, what's to stop them from just blocking all VPN connection attempts?

On the upside, VPNs are able to compete relatively freely, which means there is room for privacy focused VPNs (which of course there already are). Can't say the same of ISPs.

VPN tunnels or TOR might help. . . but then your endpoint is always a potential point of leakage.

On that note, how soon until ISPs claim the right to be able to block tunnels on 'non-premium' subscriptions.

After all, if ISPs have 100 percent right to do whatever they want with their (monopoly status granted by local governments) network, what's to stop them from just blocking all VPN connection attempts?

Corporations require their telecommuters to use VPNs. Don't know if that is enough of a userbase to stop them.

My big problem with this isn't whether or not they are allowed to do it, but the fact that if they do, I won't be able to vote with my wallet and switch to an equivalent tier of service that doesn't engage in this practice. We have exactly one provider that offers anything over 3Mbs, and that's Comcast. I honestly can't say anything bad about their service. It works as advertised and they're much more reliable than the power company around here. But I'm stuck with them and if/when they try to do this BS, well I'm still stuck with them since I have no options.

It shouldn't be too difficult to create rules on my router to funnel most traffic through a VPN provider. I'll leave encrypted streaming media traffic alone as that shouldn't provide them too much info, I hope.

Sooo... These same executives of these ISPs would have no problem with someone following them around in public and filming/documenting their day to day activities and then publishing that to the public?

It's more along the lines of finding out their loan history at the library and video store. Or netflix viewing history. Those first two are actually protected.

The bigger threat is posed by "the largest email, search, and social media companies," the group said.

I love their argument of 'well Google can do more damage with the data they get...' completely missing the point of a person's PREFERENCE to use Google. Don't like Google spying on your email? Don't use Google, use something else. There are hundreds of email providers out there...

2/3 of Americans only have 1 viable choice for internet... So yeah... there is a big difference... Don't like Comcast spying on all of your internet traffic... you are screwed because that is your only option.

It shouldn't be too difficult to create rules on my router to funnel most traffic through a VPN provider. I'll leave encrypted streaming media traffic alone as that shouldn't provide them too much info, I hope.

Yeah, as was discussed the last time an article like this was posted, figuring out a whitelist for streaming providers is kinda a huge pain in the ass.

...it occurs to me that device-specific VPN usage (managed at the router level) could be the superior solution. If you have enough smart tvs or old computers to devote exclusively to media consumption.

My big problem with this isn't whether or not they are allowed to do it, but the fact that if they do, I won't be able to vote with my wallet and switch to an equivalent tier of service that doesn't engage in this practice. We have exactly one provider that offers anything over 3Mbs, and that's Comcast. I honestly can't say anything bad about their service. It works as advertised and they're much more reliable than the power company around here. But I'm stuck with them and if/when they try to do this BS, well I'm still stuck with them since I have no options.

Of course this information is sensitive. But the first step is for consumers to act like they care about protecting their information. We are sending mixed signals when we freely post every detail of our lives on facebook, but get upset over the idea that someone tracks that we accessed facebook.com. That's not a perfect analogy, but it's easy to see why companies feel like they can get away with these abuses.

For example, right now I am watching the NCAA basketball tournament online. To do so, I had to disable ad blocking for cbssports.com. That doesn't mean I stopped caring if their advertisers are able to track me, but that I value the content more. Consumers need a stronger voice to communicate their actual preferences, because our online behavior is not accurately reflecting our concerns. The FCC is one venue, but we shouldn't pretend they are a body representative of anything other than the politicals in charge.

Just don't pay with a credit card: these outfits -- even if they themselves are decent folk -- have to work with some sketchy operators because aboveboard financial service providers won't work with them. Cryptocurrency is getting to be the only way to go.

VPN tunnels or TOR might help. . . but then your endpoint is always a potential point of leakage.

On that note, how soon until ISPs claim the right to be able to block tunnels on 'non-premium' subscriptions.

After all, if ISPs have 100 percent right to do whatever they want with their (monopoly status granted by local governments) network, what's to stop them from just blocking all VPN connection attempts?

Soon people will be reduced to what they do in Cuba, a booming underground trade in data-sticks.

Of course this information is sensitive. But the first step is for consumers to act like they care about protecting their information. We are sending mixed signals when we freely post every detail of our lives on facebook, but get upset over the idea that someone tracks that we accessed facebook.com. That's not a perfect analogy, but it's easy to see why companies feel like they can get away with these abuses.

For example, right now I am watching the NCAA basketball tournament online. To do so, I had to disable ad blocking for cbssports.com. That doesn't mean I stopped caring if their advertisers are able to track me, but that I value the content more. Consumers need a stronger voice to communicate their actual preferences, because our online behavior is not accurately reflecting our concerns. The FCC is one venue, but we shouldn't pretend they are a body representative of anything other than the politicals in charge.

I don't think that it is as confusing as you think. In both of your examples, the user is (at least theoretically) giving up their privacy in return for some good they think is worth it. In your examples, free facebook and basketball.

But I pay my ISP to use it, so I'm not getting anything in return for them stealing my data.

Of course this information is sensitive. But the first step is for consumers to act like they care about protecting their information. We are sending mixed signals when we freely post every detail of our lives on facebook, but get upset over the idea that someone tracks that we accessed facebook.com. That's not a perfect analogy, but it's easy to see why companies feel like they can get away with these abuses.

For example, right now I am watching the NCAA basketball tournament online. To do so, I had to disable ad blocking for cbssports.com. That doesn't mean I stopped caring if their advertisers are able to track me, but that I value the content more. Consumers need a stronger voice to communicate their actual preferences, because our online behavior is not accurately reflecting our concerns. The FCC is one venue, but we shouldn't pretend they are a body representative of anything other than the politicals in charge.

I don't think that it is as confusing as you think. In both of your examples, the user is (at least theoretically) giving up their privacy in return for some good they think is worth it. In your examples, free facebook and basketball.

But I pay my ISP to use it, so I'm not getting anything in return for them stealing my data.

Right.

Hopefully someone will sue them for theft. We pay them for service, and then they take (clearly valuable) data from us to resell and offer us no compensation.